XSS on google.com

I found yesterday a persistent XSS on http://www.google.com.

Google Security filled a bug after 32 minutes. I will provide more informations about the bug after a fix is released. Very short response times are the normal case for Google's Security Team.



Initial Report: 24. June 2011, 14:43 UTC
Autoresponse from Security Bot: 24. June 2011, 14:43 UTC
First response from Security Team: 24. June 2011, 15:44 UTC

Thanks! We've reproduced this issue reliably too, and we're working to get this resolved as soon as possible. I’ve filed a bug and will update you once we’ve got more information.

Final fix: 10 hours after initial report

This is fixed. It's possible there may be some delays before it's pushed to the various data centers around the world, but it no longer alerts for me.

After 9 months Google added me to the Sustained Support section of his corporate security site.

Here are my personal insights after one year Vulnerability Reward Program with Google:

bug reports

tickets per month